Distant Desktop ( Free Remote Desktop Software)

britechguy said:
Citation(s) please.
Click to expand...

BitLocker enabled by default

Solution: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlockerNote: BitLocker automatic device encryption is enabled only
community.spiceworks.com

docs.microsoft.com

BitLocker drive encryption in Windows 11 for OEMs

OEMs can configure hardware to support Windows 11 automatic device encryption.
docs.microsoft.com

They only do it on modern devices that have TPM/DMA enabled (which most modern computers do). The oldest device I've seen it with has been an 8th gen. It sucks nuts when a client brings in a computer that won't turn on and the drive is encrypted. They're frustrated because they didn't turn on encryption and it drastically increases the cost of recovering the data. I have to somehow get into their Microsoft account and get their Bitlocker recovery key. If they can't remember their Microsoft account email address and/or can't get access to their Microsoft account, they lose all their data. This is just another push by Microsoft to get everyone paying for cloud services. It's absolute BS and why I NEVER recommend using a Microsoft account. Who knows what other terrible things they're going to implement in the future?

Most people on here don't get the type of clients I get (i.e. wealthier clients with newer computers) so I'm not surprised no one is talking about this yet, but I encounter this BS all the time. I charge $300 to back up their data if it's encrypted with Bitlocker. Then if the computer is fixable I'll convert them to a local account so this doesn't happen to them again. Of course, Microsoft is always trying to trick you into setting up the computer with a Microsoft account so this really worries me. Their latest nag screen is full screen and it isn't obvious that you can cancel it. The only option is "continue" or "remind me in 3 days." The way you skip it is by hitting "continue" hitting "maybe later" on the next screen, then "cancel" on the screen after that.

Microsoft has no right to use underhanded tactics to trick computer illiterate people into signing the rights to their data away. I hope they get sued into oblivion for this BS.
 
Thanks for the references. The one from MS itself regarding automatic activation states:

BitLocker automatic device encryption is enabled when:
  • The device contains a TPM (Trusted Platform Module), either TPM 1.2 or TPM 2.0.
  • UEFI Secure Boot is enabled. See Secure Boot for more information.
  • Platform Secure Boot is enabled
  • Direct memory access (DMA) protection is enabled

I'm not counting on the majority of devices being shipped with every element required configured. Business class machines probably will be, but businesses tend to love drive encryption, even when it's not necessary.

I am, however, with you when it comes to drive encryption. It should ALWAYS be an opt-in, not an opt-out. I've seen more misery due to encryption gone wrong than I care to think about.

And it's currently "the mad fad" to encrypt anything and everything without any consideration of whether it's needed, wanted, or of the potential downsides.
 
sapphirescales said:
You forgot to mention Microsoft's new sh*tty policy of encrypting your drives without your permission when you're using a Microsoft account. That's always fun.
Click to expand...
That's not Microsoft's policy, it's a setting presented to the user. They must click OK, and the keys are in the account, also not MS's fault people can't keep track of their junk. It IS generally better to have data encrypted at rest.

As for the above, it applies to all systems gen10 and younger, older systems are missing at least one of those features.
 
britechguy said:
I'm not counting on the majority of devices being shipped with every element required configured.
Click to expand...
I'm seeing quite a few of them. I don't get in many low end laptops but I did see one that was only worth about $400 come in with automatic encryption.

Sky-Knight said:
That's not Microsoft's policy, it's a setting presented to the user.
Click to expand...
Sneakily maybe. This should be something optional that the user has to specifically choose to enable, not enabled by default unless the user opts out.

Sky-Knight said:
It IS generally better to have data encrypted at rest.
Click to expand...
Maybe for business users with sensitive data, but for home users it's idiotic. They're MUCH more likely to have a device failure and need their data recovered than encounter a situation where a bad actor has direct, physical access to their computer. A computer isn't a smartphone. Nobody is bringing their laptop everywhere they go. There's no need to make encryption default. The ONLY reason why Apple and Microsoft are doing this BS is so that people will lose their data and they can go "See? You should have been paying $XX/month for cloud backup!"
 
Sky-Knight said:
They must click OK, and the keys are in the account, also not MS's fault people can't keep track of their junk.
Click to expand...

And about the first part, we're in absolute agreement. If someone doesn't bother to even do a quick and dirty reading of what they're clicking a choice for then they have no one to blame but themselves. I push this point all the time, and I'm not talking about not reading EULAs, but dialogs during an install.

And the fact that "people can't keep track of their junk," is one of the very reasons I love, love, love the Microsoft Account concept. A lot of things get stored there that almost invariably got lost when the only thing that they came on were paper or plastic cards that the end user was responsible for filing.

It also makes resetting a password when that need arises much easier, as I can generally walk a client through the "Forgot password" process at Microsoft.com and have the new password automatically propagate to the computer in question when they use it the first time.

But each to his or her own taste.
 
britechguy said:
I like the convenience of having any Microsoft service open "automatically associated" with the Microsoft Account
Click to expand...
That still happens for me too!
When using Windows 10 with local account, it still keeps track of the MS Account(s) used. A new app that requires an MSA prompts with my MSA recorded from previous uses, after that the app logins into the account automatically.

Everything works pretty much the same whether it's local account or MS Account login (except for sync of personalisation settings).
 
One thing everyone here can do?

Settings, search for notifications, see those 6 boxes? Untick the bottom 3... it kills SO MANY NAGS, including that forced enrollment.

@sapphirescales And I'm sorry but you're wrong. SSDs fail far less than HDDs do. And now users are more likely to have their data stolen than have a drive fault. I know it doesn't feel like that because all we see on our benches are the problem children, but that's the truth. The information needs defended from theft.

That being said, I really wish MS wouldn't encrypt disks automatically unless the unit is connected to an MS365 subscription of some sort, because OneDrive is the way out for users collectively. It's all too easy to lose track of that account, and users do indeed get into that situation.

But here's the rub...

Your Android / iOS device? Yeah... it's encrypted at rest. So why is Microsoft getting a black eye for doing the same thing?
 
Sky-Knight said:
Settings, search for notifications, see those 6 boxes? Untick the bottom 3... it kills SO MANY NAGS, including that forced enrollment.
Click to expand...
Thanks for that, I didn't know about those settings. I have started getting questions from clients about that full screen prompt for an account name, happens after login to their local account occasionally.

If MS is so insistent on MS Account login that they're trying to trick users into using it, makes me suspicious. There is obviously some commercial benefit in that strategy, which might be detrimental to the consumer. I'm unsure of the exact strategy but it doesn't look good...
 
Sky-Knight said:
SSDs fail far less than HDDs do
Click to expand...
I see bad SSDs regularly. Besides, it's not just SSD failure that's the problem here. The problem is when the computer dies there's no way to get their data back unless you can somehow get into their Microsoft account from another computer and get their recovery key.

Sky-Knight said:
defended from theft
Click to expand...
Yeah, because a HUGE percentage of laptops get stolen every year, right? Get real. There are over 244 million laptops in the US, and only about 600,000 get stolen, mostly from airports. A lot of those stolen laptops probably belong to foreigners too, so you shouldn't count those as a percentage of US laptops that get stolen, but even if you did, that's only 0.00245% of laptops that get stolen. SSD annual failure rates are WAY higher than that, and if you don't travel much the chances of your laptop getting stolen is even less.
 
Sky-Knight said:
Your Android / iOS device? Yeah... it's encrypted at rest.
Click to expand...

Uh, not on mine, it's not. And I'm running a variant (MIUI 12.0.1) of Android 9. And, yes, I double checked the encryption settings before posting. I know for fact I never changed this from defaults. Nor is it on my partner's slightly older device, running MIUI 11 based on Android 8.
 
Sky-Knight said:
Your Android / iOS device? Yeah... it's encrypted at rest. So why is Microsoft getting a black eye for doing the same thing?
Click to expand...
Because Windows computers tend to have more serious content than mobile devices, and because computers are traditionally easy to recover data from by removing the drive or booting from USB device (both of which can't be done with mobile devices as far as I know).
 
fincoder said:
Because Windows computers tend to have more serious content than mobile devices, and because computers are traditionally easy to recover data from by removing the drive or booting from USB device (both of which can't be done with mobile devices as far as I know).
Click to expand...

Incorrect... all data is on all devices. There is no segmentation of data the way you describe. It's either all important, or none of it is. Because we technical providers have no clue what data is important vs isn't... and giving users multiple places to stick things always results in data being misfiled, and lost.

What the mobile device enforces is your proper use of cloud storage to back the thing up... Which *gasp* Microsoft is trying to do here too, much to everyone's constant drum beat of complaining. Encryption at rest, and cloud replication are STANDARD PRACTICES it's 2021, time to get with the program.

Google and Apple don't even give you a choice. Microsoft you can use other options, and even go full retard and back away from all this. But that's your call to make, it shouldn't be normalized. The choice is there, and when you half make it the untaken responsibility blows up in your face. This is LIFE!

But the nags COULD be better worded... and it does make things more convenient to just have the online account merged with the local one. I still don't like working that way myself, logging into each app individually. But the design ethos is clear, and works pretty well. It's the partial buy in that burns it.

@britechguy You're running older devices with bad settings. My Pixel 3a is encrypted, and was so just as soon as it saw a google account, which is mandated to set the thing up. All current Samsung devices are the same, because they also meet the same security metrics. If you go to the store and buy a brand new phone NOW that can actually properly support Android 11, it'll be encrypted as soon as you sign into it. The same holds true for all current iPhones.

What I find silly about that is all of these devices have non-removable storage... so reading the chips requires removing them from the board and stuffing them into something that can read them. That's an inordinate amount of work before the encryption becomes relevant... and yet it's there. The fact that your two devices aren't doing it is the abnormality. And you're right int he past it wasn't normal, but it is NOW. And going forward things will be this way.

For everyone else, never forget those three boxes... they're on my short list of most annoying boxes in the world right now. They're PER ACCOUNT TOO! So doing them once per machine isn't enough. I'm still trying to figure out how to powershell that. Domain member machines default to those three OFF, not a domain member... on... Because while I understand and agree with what MS is doing, our clients sometimes want stuff differently. And that's just the way it is.
 
Last edited:
Googles Pixel phones have their primary storage encrypted by default when they're built.
This article from Nov 2016, you can Google it and find many..many supporting articles.
blog.google

Pixel Security: Better, Faster, Stronger

The new Google Pixel and Pixel XL are encrypted by default to offer strong data protection, while maintaining a great user experience with high I/O performance and long …
blog.google blog.google

I'm on a cheapy 4a now, but my 2 had it on by default.

Obviously since I'm in IT and I store a lot of important info regarding clients, credentials, etc....everything I have, I want encrypted...full disk. Laptop, tablet, desktop, phone, USB drives. I want zero risk if something is lost/stolen. I'd be negligent if I didn't encrypt my stuff.

Regarding the question of "full disk"..versus..."only a folder or a few folders"...you want full disk encryption (FDE). This way if something is lost of stolen, there is zero question that any/all data on that device is protected. If a nurse loses a laptop doing a home visit, and the states attorney general asks if there was any potential risk of data breach...you cannot give a "No" as an answer if you only protect certain folders. Because....they will ask you to "prove it". You cannot prove that some Word document was on the desktop by mistake, instead of the Documents folder. You cannot prove that Outlooks OST/PST was protected. Unless....you have FDE. If you have FDE, you don't give a rats arse where the dumb end user stored the files. Doesn't matter! Entire disk was encrypted, it's all good. Oh...and since you're using a proper biz grade solution like Bitlocker for example...you're also able to audit the health/status of that laptops drive encryption on a regular basis (either via Azure, inTune, or a group policy, etc)...and produce a log showing the status at the time of the laptop being lost. You can hand over that log and be all safe 'n good! I just took over a large CPA firm from a competitor and had to disable/uninstall some freebie 3rd party veracrypt offshoot of truecrypt on about 15 laptops...so I could get Bitlocker on there, working towards proper compliance.
 
YeOldeStonecat said:
you cannot give a "No" as an answer if you only protect certain folders.
Click to expand...

Oh, contraire, you absolutely can. You should be keeping any protected information only in encrypted folders (and, thus, the files in them are encrypted, too).

They cannot "prove" that you're telling the truth no matter what you tell them, absent the device in question being recovered. I'm not proposing falsifying anything, either. But if you follow NECESSARY procedures to protect SENSITIVE data, that is all you are obligated to do. I had to deal with HIPAA compliance for some years as a clinical practitioner, not on the IT end, and you did not have to be using devices with full drive encryption to be within the law.

What may be desirable for ease of coverage is a completely separate thing from what is required for compliance with the law, depending on with what law it is one is trying to comply. And full drive encryption is thought of (and incorrectly, in my opinion) way to "cover all bases."

I store a lot of sensitive client-related stuff on my smartphone, too, using one application: Password Safe. Nothing, ever, is stored elsewhere unencrypted (unless you want to argue about contacts, and I don't. My client list isn't legally protected information under any law of which I'm aware). And I challenge anyone who finds the device to figure out my password safe password. It's more secure than the device itself is (which uses a code or fingerprint to unlock).
 
Sky-Knight said:
Which *gasp* Microsoft is trying to do here too, much to everyone's constant drum beat of complaining.
Click to expand...
OneDrive backup is a good idea for many people, I suggest it and help people with it all the time. There are however some legitimate complaints about technical issues, e.g.

An outlook PST file in Documents\Outlook Files (the default place for them for the last 10 years) prevents OneDrive from backing up the Documents folder. It won't even skip the file and back up the rest! Same with Sticky Notes files created in previous Office versions. These are both Microsoft apps, why can't Microsoft's OneDrive have a mechanism to handle these files? (rhetorical)
Sky-Knight said:
But the nags COULD be better worded...
Click to expand...
In my opinion, MS puts a lot of effort into the wording of those nags, to achieve what they want users to do without appearing to be bullies, and to still allow business and enthusiast users to bypass them. They're not badly worded due to incompetence, it's by design.

The first obvious Microsoft 'deception' was when thousands (if not millions) of users upgraded to Windows 10 without them realising they'd agreed to it. That's when they changed the upgrade request window to default to 'sure go ahead' when closed with the X in the top right corner, previously the default when closing was 'go away'. I have no problem with Microsoft encouraging the upgrade, but using deception to do it?

Another 'deception' they've been using for years is when a local account user specifies a MS account for an app, there's a dialog box titled 'Use this account everywhere on this device' with some text about apps (nothing about login) and a big Next button, and there's a Microsoft Apps Only option in small font. Nothing about this dialog indicates that pressing Next (most people's natural inclination) will change the computer login to use the online Microsoft account, or that clicking MS Apps Only allows them to keep their account setup as is. The wording of this dialog is why so many ordinary users end up switching from a local account (originally setup by a tech or the OOBE without internet connection). And why we often get said users complaining that their password doesn't work next time they login, they know nothing about MS account login, so obviously did not explicitly agree to the change. This isn't a rare occurrence, so we can't just blame some people for being stupid.
 
fincoder said:
That's when they changed the upgrade request window to default to 'sure go ahead' when closed with the X in the top right corner, previously the default when closing was 'go away'. I have no problem with Microsoft encouraging the upgrade, but using deception to do it?
Click to expand...

That was, and remains, at the top of my list of sleaziest and most damaging deceptions of all time. It was so utterly stupid, and damaging to Microsoft, that I have no idea how it ever made it out "into the wild."
 
fincoder said:
Another 'deception' they've been using for years is when a local account user specifies a MS account for an app, there's a dialog box titled 'Use this account everywhere on this device' with some text about apps (nothing about login) and a big Next button, and there's a Microsoft Apps Only option in small font. Nothing about this dialog indicates that pressing Next (most people's natural inclination) will change the computer login to use the online Microsoft account, or that clicking MS Apps Only allows them to keep their account setup as is. The wording of this dialog is why so many ordinary users end up switching from a local account (originally setup by a tech or the OOBE without internet connection). And why we often get said users complaining that their password doesn't work next time they login, they know nothing about MS account login, so obviously did not explicitly agree to the change. This isn't a rare occurrence, so we can't just blame some people for being stupid.
Click to expand...
Same here. Usually because of some darn game in the Windows store.
And they do not remember what they used for the password.
Has made me money though, sometimes once but not always once with the same client.
 
You must log in or register to reply here.

Similar threads

thecomputerguy
Probably one of the dumbest things I've ever heard of.
Replies
14
Views
711
timeshifter
timeshifter
Metanis
[TIP] Company setting itself up as a TeamViewer alternative.
Replies
5
Views
1K
britechguy
britechguy
A
Remote Desktop software not working on Windows 11
Replies
13
Views
3K
alexsmith2709
A
U.V.K
UVK and Tech Tool Store: Product updates
2 3
Replies
41
Views
4K
U.V.K
U.V.K
P
Anyone have a good remote to mobile solution
Replies
1
Views
1K
seashore
seashore
Back
Top